announce

Messages by Thread

[ANNOUNCE] Apache Commons Logging 1.4.0 Gary Gregory
CVE-2026-49268: Apache Shiro: LDAP DN Injection in DefaultLdapRealm Lenny Primak
CVE-2026-41280: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects Wenjun Ruan
CVE-2026-49050: Apache DolphinScheduler: General user can mint admin access tokens via /access-tokens Wenjun Ruan
CVE-2026-47340: Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access. Wenjun Ruan
CVE-2026-42357: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. Wenjun Ruan
CVE-2026-32967: Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks Wenjun Ruan
CVE-2026-32966: Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure Wenjun Ruan
[ANNOUNCE] Apache Fory 1.2.0 released Shawn Yang
[ANN] Apache TomEE 11.0.0-M1 Richard Zowalla
CVE-2026-50203: Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local file write outside the destination directory via malicious server-supplied directory-entry names Jarek Potiuk
[ANN] Apache Tomcat Native 1.3.8 released Mark Thomas
[ANN] Apache Tomcat Native 2.0.15 released Mark Thomas
[ANN] Maven Executor 1.0.0 released Tamás Cservenák
[ANNOUNCE] Apache Pulsar Go Client 0.20.0 released Zike Yang
[ANNOUNCE] Apache Pulsar Client C++ 4.2.0 released Yunze Xu
[ANNOUNCE] Apache Flink 1.20.5 released Yunfeng Zhou
[ANNOUNCE] Apache Flink 2.1.3 released Yunfeng Zhou
[ANNOUNCE] Apache Zeppelin 0.12.1 available Jongyoul Lee
[ANNOUNCE] Apache Airflow Providers prepared on 2026-06-08 are released Jarek Potiuk
[ANNOUNCEMENT] Commons Daemon 1.6.1 Released Mark Thomas
CVE-2026-50645: Apache CXF: No restriction on attachment headers per message Colm O hEigeartaigh
CVE-2026-50634: Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry Colm O hEigeartaigh
CVE-2026-50633: Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl Colm O hEigeartaigh
CVE-2026-50632: Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory Colm O hEigeartaigh
CVE-2026-50631: Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing Colm O hEigeartaigh
CVE-2026-50630: Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection Colm O hEigeartaigh
CVE-2026-50628: Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control Colm O hEigeartaigh
CVE-2026-50629: Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier Colm O hEigeartaigh
CVE-2026-50627: Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator Colm O hEigeartaigh
CVE-2026-50623: Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService Colm O hEigeartaigh
CVE-2026-49875: Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils Colm O hEigeartaigh
CVE-2026-50223: Apache OFBiz: DataResource Low-Privileged Authenticated FreeMarker Template Injection Leads to Remote Code Execution Jacopo Cappellato
CVE-2026-47342: Apache OFBiz: Privilege Escalation via updateOrRemove Authorization Bypass Jacopo Cappellato
CVE-2026-25700: Apache Answer: AdminToken not invalidated after admin deactivation Enxin Xie
[ANNOUNCE] Apache Hudi 0.14.2 released Danny Chan
[ANNOUNCEMENT] Apache HTTP Server 2.4.68 Released covener
Apache Olingo is now retired Niall Pemberton
CVE-2026-49818: Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names Jarek Potiuk
CVE-2026-25688: Apache Answer: XSS in AI Answer Rendering Enxin Xie
CVE-2026-25699: Apache Answer: Authorization Bypass in Timeline API Enxin Xie
CVE-2026-33582: Apache Answer: Uploading specially crafted TIFF files causes an Out-of-Memory error Enxin Xie
CVE-2026-34031: Apache Answer: The custom avatar was not properly validated Enxin Xie
CVE-2026-34033: Apache Answer: HTML Content Injection in Email Enxin Xie
CVE-2026-34905: Apache Answer: Unlisted Questions Accessible via Direct API Access Enxin Xie
[ANNOUNCE] Apache Pulsar 4.2.2 released Lari Hotari
[ANNOUNCE] Apache Pulsar 4.0.11 released Lari Hotari
CVE-2026-48913: Apache HTTP Server: mod_http2 memory corruption when file handles exhausted Eric Covener
CVE-2026-49975: Apache HTTP Server: mod_http2 denial of service Eric Covener
CVE-2026-44631: Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow Eric Covener
CVE-2026-44186: Apache HTTP Server: Loop in `proxy_ftp_handler` in mod_proxy_ftp Eric Covener
CVE-2026-44185: Apache HTTP Server: Stack Buffer Over-Read in mod_ssl OCSP `send_request` Eric Covener
CVE-2026-44119: Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules Eric Covener
CVE-2026-42536: Apache HTTP Server: mod_xml2enc heap overflow Eric Covener
CVE-2026-43951: Apache HTTP Server: OOB Read in `merge_response_headers` can cause crash Eric Covener
CVE-2026-42535: Apache HTTP Server: mod_dav_fs protected directory access Eric Covener
CVE-2026-34356: Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow Eric Covener
CVE-2026-34355: Apache HTTP Server: mod_proxy_html buffer overflow Eric Covener
CVE-2026-29170: Apache HTTP Server: mod_proxy_ftp XSS Eric Covener
CVE-2026-29167: Apache HTTP Server: mod_ldap per-dir use-after-free Eric Covener
[ANNOUNCE] Apache Airflow Providers prepared on 2026-06-02 are released Jarek Potiuk
CVE-2026-47430: Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews Niklas Merz
[ANNOUNCE] Release Apache DolphinScheduler 3.4.2 wenjun
[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.12 Mark Thomas
[ANNOUNCE] Apache Airflow Helm Chart version 1.22.0 Released Jarek Potiuk
[ANNOUNCE] Release Apache Paimon Mosaic 0.1.0 hope
[ANN] Apache CycloneDX Antlib 0.1 Released Stefan Bodewig
CVE-2026-50076: Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass Chaokun Yang
[ANNOUNCE] Release Apache Paimon Rust 0.2.0 yuxia luo
Apache MINA 2.0.29, 2.0.13 and 2.2.8 release Emmanuel Lecharny
[ANNOUNCE] Apache Jackrabbit Oak 2.2.0 released Julian Reschke
CVE-2026-41115: Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API Luke Chen
CVE-2026-46718: Apache Calcite: A user-controled model can load arbitrary classes, leading to code execution Julian Hyde
[ANNOUNCE] Apache APISIX Ingress controller v2.1.0 released Xin Rong
[ANNOUNCE] Apache Fory 1.1.0 released Shawn Yang
[ANNOUNCE] Release Apache OpenDAL 0.57.0 Xuanwo
CVE-2026-49328: Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF Shuxin Pan
CVE-2026-45192: Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response Rahul Vats
CVE-2026-35563: Apache Directory LDAP API: LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname Emmanuel Lécharny
CVE-2026-49270: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire) Christopher L. Shannon
CVE-2026-49157: Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default Christopher L. Shannon
CVE-2026-46605: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal Christopher L. Shannon
CVE-2026-45505: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass Christopher L. Shannon
CVE-2026-42588: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector Christopher L. Shannon
CVE-2026-42253: Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties Christopher L. Shannon
CVE-2026-49298: Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments Rahul Vats
CVE-2026-48726: Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path Rahul Vats
CVE-2026-46764: Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter Rahul Vats
CVE-2026-45426: Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access Rahul Vats
CVE-2026-45360: Apache Airflow: Arbitrary import in custom deadline-reference deserialization Rahul Vats
CVE-2026-42359: Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator Rahul Vats
CVE-2026-42358: Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets Rahul Vats
CVE-2026-42360: Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking Rahul Vats
CVE-2026-42252: Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern Rahul Vats
CVE-2026-41084: Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation Rahul Vats
CVE-2026-41017: Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy Rahul Vats
CVE-2026-49267: Apache Airflow: No certificate validation on SMTP STARTTLS connections Rahul Vats
CVE-2026-41014: Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints Rahul Vats
CVE-2026-40963: Apache Airflow: DAG authorization bypass on /ui/structure/structure_data Rahul Vats
CVE-2026-40961: Apache Airflow: Open Redirect Bypass Vulnerability Rahul Vats
CVE-2026-40861: Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler Rahul Vats
[ANNOUNCE] Apache ActiveMQ 5.19.7 has been released! Jean-Baptiste Onofré
[ANNOUNCE] Apache ActiveMQ 6.2.6 has been released! Jean-Baptiste Onofré
CVE-2026-49361: Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability Jark Wu
[ANN] Apache Maven Daemon 1.0.6 released Tamás Cservenák
[ANNOUNCE] Apache Fesod(Incubating) 2.0.2-incubating released delei
CVE-2026-48827: Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git Thomas Wolf
CVE-2026-44825: Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users Jan Høydahl
[ANN] Apache Struts 6.10.0 Lukasz Lenart
[ANNOUNCE] Apache Axis2/Java 2.0.1 Released robertlazarski
[ANNOUNCE] Apache Axis2/C 2.0.0 Released robertlazarski
[ANNOUNCEMENT] Commons Daemon 1.6.0 Released Mark Thomas
[ANNOUNCE] Apache bRPC 1.17.0 released Xiguo Hu
[ANNOUNCE] Apache MINA SSHD 3.0.0-M4 released Thomas Wolf
[ANNOUNCE] Apache MINA SSHD 2.18.0 released Thomas Wolf
[ANNOUNCE] Apache Airflow Providers prepared on 2026-05-25 are released Jens Scheffler
ARTEMIS-5996: CVE-2026-40914: Apache Artemis, Apache ActiveMQ Artemis: Address routing-type can be updated by STOMP protocol user without the createAddress permission Justin Bertram
[ANNOUNCE] Apache Commons Configuration 2.15.1 Gary Gregory
CVE-2026-40564: Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator Gyula Fora
[ANNOUNCE] Apache Tika 3.3.1 released Tim Allison
CVE-2026-48589: Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow Lenny Primak
CVE-2026-44598: Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials) Lenny Primak
CVE-2026-43828: Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default Lenny Primak
CVE-2026-43827: Apache Shiro: Session fixation: new session is not created after login by default Lenny Primak
[ANN] Apache Syncope 4.0.6 Francesco Chicchiriccò
[ANN] Apache Syncope 4.1.1 Francesco Chicchiriccò
CVE-2026-42797: Apache Syncope: JexlContextBuilder Information Disclosure Francesco Chicchiriccò
CVE-2026-42782: Apache Syncope: Post-auth RCE via Groovy static Francesco Chicchiriccò
[ANNOUNCE] Apache Doris 4.1.1 Mingyu Chen
CVE-2026-46745: Apache Airflow FAB provider: [ Security Report ] LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token (ZDRES-223) Jens Scheffler
CVE-2026-45361: Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default) Jens Scheffler
[ANNOUNCE] Apache Airflow Providers prepared on 2026-05-19 are released Jens Scheffler
CVE-2026-45249: Apache ECharts: XSS in Lines series tooltip rendering Zhongxiang Wang
[ANNOUNCE] Apache Kafka 4.3.0 Mickael Maison
CVE-2026-44930: Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository Colm O hEigeartaigh
CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality Colm O hEigeartaigh
CVE-2026-44417: Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE) Colm O hEigeartaigh
[ANNOUNCE] Apache Teaclave™ TrustZone SDK 0.9.0 Released Zehui Chen
[ANNOUNCE] Apache Fory 1.0.0 released Shawn Yang
[ANNOUNCE] Apache Pulsar Client Python 3.12.0 released Yunze Xu
CVE-2026-48207: Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement Chaokun Yang
https://camel.apache.org/security/CVE-2026-45760.html: CVE-2026-45760: Apache Camel K: Camel K Cross-Namespace Build Deputy Attack Pasquale Congiusti
[ANNOUNCE] Apache Wicket 10.9.1 released Andrea Del Bene
[ANNOUNCE] Apache PDFBox JBIG2 ImageIO plugin 3.0.5 released Andreas Lehmkühler
[ANNOUNCE] Apache NetBeans 30 Released Eric Barboni
[ANNOUNCE] Apache Artemis 2.54.0 Released Justin Bertram
CVE-2026-42526: Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends Vincent Beck
CVE-2026-27173: Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments Vincent Beck
[ANNOUNCE] Apache CouchDB 3.5.2 released Jan Lehnardt
[ANNOUNCE] Apache OFBiz 24.09.06 released Jacopo Cappellato
[ANNOUNCE] Apache Storm 2.8.8 Released Rui Abreu
CVE-2026-47323: Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering Andrea Cosentino
CVE-2026-31909: Apache OFBiz: Unauthenticated Shipment Label Image Disclosure Jacopo Cappellato
CVE-2026-46586: Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution Jacopo Cappellato
CVE-2026-45434: Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE Jacopo Cappellato
CVE-2026-45187: Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users to Submit System Jobs Jacopo Cappellato
CVE-2026-41919: Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Elements in DN Construction Jacopo Cappellato
CVE-2026-35086: Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services Jacopo Cappellato
CVE-2026-31910: Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access Jacopo Cappellato
CVE-2026-31986: Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection Jacopo Cappellato
CVE-2026-31388: Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature Jacopo Cappellato
CVE-2026-31380: Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass Jacopo Cappellato
CVE-2026-31906: Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog Parameters Jacopo Cappellato
CVE-2026-31379: Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager Jacopo Cappellato
CVE-2026-31387: Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation Jacopo Cappellato
CVE-2026-31378: Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution Jacopo Cappellato
CVE-2026-29226: Apache OFBiz: Low-Privilege SSRF in Content Component Jacopo Cappellato
CVE-2026-29220: Apache OFBiz: Low-Privilege LFI in Content Component Jacopo Cappellato
CVE-2026-29207: Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component Jacopo Cappellato
[ANN] Apache Maven Enforcer Plugin 3.6.3 Released Tamás Cservenák
[ANN] Maven Resolver 2.0.18 released Tamás Cservenák
[ANN] Apache Maven 3.9.16 released Slawomir Jaranowski
[ANNOUNCE] Apache Flink 2.2.1 released Sergey Nuyanzin
[ANNOUNCE] Apache Wicket 8.18.0 released Andrea Del Bene
CVE-2026-35194: Apache Flink: Remote code execution via SQL injection in code generation Martijn Visser
CVE-2026-45205: Apache Commons Configuration: StackOverflowError for YAML input with cycles Gary D. Gregory
[ANNOUNCE] Apache Commons Configuration 2.15.0 Gary Gregory
[ANNOUNCE] Apache Wicket 9.23.0 released Andrea Del Bene
[SECURITY] CVE-2026-43515 Apache Tomcat - Security constraints not correctly applied Mark Thomas
[SECURITY] CVE-2026-43513 Apache Tomcat - LockOutRealm treats user names as case-sensitive Mark Thomas
[SECURITY] CVE-2026-43514 Apache Tomcat - AJP secret compared in non-constant time Mark Thomas
[SECURITY] CVE-2026-43512 Apache Tomcat - Digest authenticator will authenticate any unknown user Mark Thomas
[SECURITY] CVE-2026-42498 Apache Tomcat - WebSocket authentication header exposure Mark Thomas
[SECURITY] CVE-2026-41293 Apache Tomcat - HTTP/2 request headers not validated Mark Thomas
[SECURITY] CVE-2026-41284 Apache Tomcat - Unbounded read in WebDAV LOCK and PROPFIND handling Mark Thomas
[ANNOUNCE] Apache Burr 0.42.0-incubating released Elijah ben Izzy
[ANNOUNCE] Apache Parquet Java 1.17.1 Gang Wu
[ANNOUNCE] Apache Calcite Avatica 1.28.0 Released Francis Chuang
[ANN] Apache Tomcat 10.1.55 Available Christopher Schultz
[ANNOUNCE] Apache Airflow Providers prepared on 2026-05-05 are released Vincent Beck
[ANNOUNCE] Apache Tika 4.0.0-alpha-1 released Tim Allison
[ANN] Apache Tomcat 9.0.118 available Rémy Maucherat
CVE-2026-41018: Apache Airflow Providers Elasticsearch: Elasticsearch task-log handlers leak credentials embedded in the host URL Shahar Epstein
CVE-2026-43826: Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL Shahar Epstein
[ANNOUNCE] Apache Grails Spring Security 8.0.0-M1 Mattias Reichel
[ADVISORY] Apache CloudStack LTS Security Releases 4.20.3.0 and 4.22.0.1 Daan Hoogland
[ANNOUNCE] Release Apache Paimon Rust 0.1.0 yuxia luo
[ANNOUNCE] Apache Grails 8.0.0-M1 James Fredley
[ANNOUNCE] Apache Pulsar C# Client DotPulsar 5.3.1 released David Jensen
[ANNOUNCE] Apache Groovy 6.0.0-alpha-1 Released Paul King

Earlier messages